C# code to automatically give IIS write access to a folder on Windows Server 2008? Currently throws exception

Question

I am trying to write a command line tool that will give IIS7.5 on windows server 2008 write access to a folder in the wwwroot, so that a web application has access to write to a specific folder within it's base directory. Formerly, you would do this by assigning the IIS_WPG group on the folder giving that group Modify access.

In Server 2008 I'm trying to do the same thing with IIS_IUSRS, but an exception is ocurring.

Here is the code:

private static void ManagePermissions(string directory, string account, FileSystemRights rights, AccessControlType controlType, bool addAccess)
{
    DirectoryInfo directoryInfo = new DirectoryInfo(directory);
    DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();

    if (addAccess)
        directorySecurity.AddAccessRule(
            new FileSystemAccessRule(account, rights, controlType));
    else
        directorySecurity.RemoveAccessRule(
            new FileSystemAccessRule(account, rights, controlType));

    directoryInfo.SetAccessControl(directorySecurity);
}

The call to this method is as follows:

ManagePermissions(
                  "c:\inetpub\wwwroot", 
                  "MACHINENAME\IIS_IUSRS", 
                  FileSystemRights.Modify, 
                  AccessControlType.Allow, 
                  true);

When execute that call to ManagePermissions an exception is thrown with the following type and message:

System.Security.Principal.IdentityNotMappedException: 
    Some or all identity references could not be translated.

I've checked multiple times to ensure that MACHINENAME\IIS_IUSRS is an exact match with the user in the local user manager on the machine this code is executing on. This machine does not participate in a windows domain.

Let me know if you need any further clarification.

Answer 1

IIS_IUSRS is a built in group, so it should not be referenced with [machinename]\IIS_IUSRS but with BUILTIN\IIS_IUSRS. Like so:

ManagePermissions( 
                  "c:\inetpub\wwwroot",  
                  "BUILTIN\IIS_IUSRS",  
                  FileSystemRights.Modify,  
                  AccessControlType.Allow,  
                  true);

Switching to that way of referencing the user fixed my code. I get the account in a slightly different way than referenced in your example:

IdentityReference user = new NTAccount(UserDomain + @"\" + UserName);

And then use it via a different constructor so that may affect the translation as well but I doubt it:

var rule = new FileSystemAccessRule(user, ..., ..., ..., ...);

Answer 2

Update: recently I've seen error with adding full control to user IIS_IUSRS on non-english windows (Windows server 2008 R2 x64 IIS7).

Despite that IIS_IUSRS is not translated, 'BUILTIN' in front of it can cause an error

So, be aware of using "BUILTIN\IIS_IUSRS", use just 'IIS_IUSRS' instead - its working on both english and non-english windows